Understanding Hash Functions: MD5, SHA-256, and Beyond

February 11, 2026 · 7 min read · Security

Hash functions are one of the most fundamental building blocks in computer science and cybersecurity. Every time you log into a website, verify a file download, mine cryptocurrency, or use a digital signature, hash functions are working behind the scenes. This guide explains what they are, how they work, and when to use different hash algorithms.

What Is a Hash Function?

A hash function takes an input of any size and produces a fixed-size output (called a hash, digest, or checksum). The same input always produces the same output, but even a tiny change in the input produces a completely different hash. This is called the avalanche effect.

Input: "Hello"        → SHA-256: 185f8db3...a9b3e42f (64 hex chars)
Input: "Hello."       → SHA-256: 7c3af781...e8d1c26a (completely different!)
Input: (1 GB file)    → SHA-256: still 64 hex characters

Properties of Good Hash Functions

Deterministic: Same input always produces the same output
Fast to compute: Hashing should be efficient (except for password hashing)
Pre-image resistant: Given a hash, you can't reverse-engineer the original input
Collision resistant: It should be practically impossible to find two different inputs that produce the same hash
Avalanche effect: A small change in input causes a drastically different output

⚡ Try it now: Generate MD5, SHA-1, SHA-256, and SHA-512 hashes with the Wootils Hash Generator.

Common Hash Algorithms

MD5 (Message Digest 5)

Produces a 128-bit (32 hex character) hash. Created in 1991, MD5 is now considered cryptographically broken — researchers have demonstrated practical collision attacks. Never use MD5 for security purposes. It's still occasionally used for non-security checksums (file integrity in trusted environments).

MD5("Hello") → 8b1a9953c4611296a827abf8c47804d7

SHA-1 (Secure Hash Algorithm 1)

Produces a 160-bit (40 hex character) hash. SHA-1 was the standard for years but was proven vulnerable to collision attacks in 2017 (Google's SHAttered project). It's deprecated for security use. Git still uses SHA-1 internally but is transitioning to SHA-256.

SHA-256 (SHA-2 Family)

Produces a 256-bit (64 hex character) hash. Part of the SHA-2 family designed by the NSA. SHA-256 is currently the gold standard for most cryptographic applications. It's used in Bitcoin, TLS certificates, digital signatures, and file integrity verification.

SHA-256("Hello") → 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

SHA-3 (Keccak)

The newest member of the SHA family, based on a completely different internal structure (sponge construction) than SHA-2. SHA-3 provides a backup if SHA-2 is ever broken. It's not widely adopted yet because SHA-2 remains secure.

bcrypt / scrypt / Argon2 (Password Hashing)

These are deliberately slow hash functions designed specifically for password storage. Unlike SHA-256, which is designed to be fast, password hashing functions include a work factor that makes brute-force attacks computationally expensive.

bcrypt: Time-tested, widely supported, adjustable cost factor
scrypt: Memory-hard — resistant to GPU/ASIC attacks
Argon2: Winner of the Password Hashing Competition (2015) — the recommended choice for new applications

Use Cases

Password Storage

Never store passwords in plain text. Hash them with bcrypt, scrypt, or Argon2. When a user logs in, hash their input and compare it to the stored hash. Add a unique salt (random data) to each password before hashing to prevent rainbow table attacks.

Data Integrity Verification

Download a file and compare its SHA-256 hash against the published hash. If they match, the file hasn't been tampered with during transfer. Package managers (npm, pip, apt) use this automatically.

Digital Signatures

Hash the document, then encrypt the hash with a private key. Recipients can verify the signature by decrypting with the public key and comparing hashes. This proves both authenticity and integrity.

Blockchain and Cryptocurrency

Bitcoin uses SHA-256 extensively — mining involves finding inputs that produce hashes with a specific number of leading zeros. Ethereum uses Keccak-256. The immutability of blockchains relies entirely on hash function properties.

Data Deduplication

Hash files to generate unique identifiers. If two files have the same hash, they're (almost certainly) identical. Cloud storage and backup systems use this to avoid storing duplicate data.

Hash Function Comparison

Algorithm   Output    Status       Use Case
─────────   ──────    ──────────   ──────────────────
MD5         128-bit   Broken       Legacy checksums only
SHA-1       160-bit   Deprecated   Avoid for new systems
SHA-256     256-bit   Secure       General cryptography
SHA-512     512-bit   Secure       Extra security margin
SHA-3       Variable  Secure       Future-proofing
bcrypt      184-bit   Secure       Password hashing
Argon2      Variable  Secure       Password hashing (best)

Common Mistakes

Using MD5 or SHA-1 for security: Both are broken. Use SHA-256 minimum.
Using fast hashes for passwords: SHA-256 is too fast for passwords. Use bcrypt/Argon2.
No salt for password hashing: Without salt, identical passwords produce identical hashes, enabling rainbow table attacks.
Confusing hashing with encryption: Hashing is one-way. Encryption is two-way. You can't "decrypt" a hash.
Rolling your own crypto: Use established libraries. Don't invent custom hashing schemes.

Conclusion

Hash functions are everywhere in modern computing. Use SHA-256 for general-purpose hashing, Argon2 or bcrypt for passwords, and never use MD5 or SHA-1 for anything security-related. Understanding hash functions helps you make better decisions about data integrity, authentication, and system security.

🔧 Related Wootils Tools:
Hash Generator · Password Generator · Base64 Encoder · JWT Decoder